ColdRiver pivots to ClickFix: NoRobot and MaybeRobot replace LostKeys in stealthier social engineering campaigns

CyberSecureFox 🦊

Google’s Threat Intelligence Group (GTIG) reports a rapid shift in the tradecraft of the Russian‑language threat actor ColdRiver—also tracked as UNC4057, Callisto, and Star Blizzard. Following public analysis of its LostKeys toolset in May 2025, the group abandoned that implant and adopted a new chain built around NoRobot, YesRobot, and MaybeRobot, delivered primarily through ClickFix social engineering rather than traditional exploits.

Who is ColdRiver and what changed in their tooling

LostKeys had been used for cyber‑espionage against governments, journalists, and think tanks, focusing on exfiltrating files based on predefined extensions and directories. GTIG observed a tactical pivot within a week of LostKeys’ exposure: operators began deploying new payloads with different delivery logic and improved operational security to reduce forensic visibility.

ClickFix attacks: user‑driven execution over exploit chains

ClickFix is a social engineering technique that persuades victims to copy a command, usually PowerShell, and run it themselves, typically under the pretext of fixing a page that fails to render or passing a fake CAPTCHA. Victims land on crafted pages that place the command on the clipboard and instruct them to paste it into the Run dialog or a PowerShell console, so the malware runs with the victim's own privileges and no exploit is needed. While the current wave targets Windows, earlier campaigns have also targeted macOS and Linux. According to ESET, the prevalence of ClickFix as an initial access vector increased by 517% from H2 2024 to H1 2025.
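To make the "user-driven execution" point concrete, here is an added hunting script (an example written for this page, not code from GTIG, ESET or the campaign) that looks for the traces a pasted ClickFix command leaves on a Windows host: Win+R history, Script Block Logging events, and PSReadLine console history. It assumes a local administrator session and that Script Block Logging is already enabled; the regex encodes generic ClickFix traits and is an assumption for illustration, not a ColdRiver indicator.

```powershell
# Added example (not code from GTIG, ESET or the campaign): hunt for
# ClickFix-style paste-and-run execution traces on one Windows endpoint.
# Assumes local admin and that PowerShell Script Block Logging (Event ID 4104)
# is enabled. The regex below encodes generic ClickFix traits, not ColdRiver IOCs.

$ClickFixRegex = @(
    'invoke-expression|\biex\b',                         # run downloaded text
    'invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b',
    '-w(indowstyle)?\s+hidden',                          # hide the console
    '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}',     # base64 command
    'rundll32|mshta|regsvr32',                           # LOLBin staging
    'not a robot|captcha|verif'                          # lure text left in the command
) -join '|'

# 1. Win+R history: RunMRU values look like "cmd\1"; the "\1" is a literal marker.
function Get-RunMruHits {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -eq 'MRUList' -or $p.Name -like 'PS*') { continue }
        $cmd = ([string]$p.Value) -replace '\\1$', ''
        if ($cmd -match $ClickFixRegex) {
            [pscustomobject]@{ Source = 'RunMRU'; Time = $null; Command = $cmd }
        }
    }
}

# 2. Script Block Logging: the script text is property index 2 of a 4104 event,
#    the script path is index 4 (used here to skip this hunting script itself).
function Get-ScriptBlockHits {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCommandPath -and $_.Properties[4].Value -eq $PSCommandPath) { return }
        $text = [string]$_.Properties[2].Value
        if ($text -match $ClickFixRegex) {
            $oneLine = $text -replace '\s+', ' '
            [pscustomobject]@{
                Source  = 'Event4104'
                Time    = $_.TimeCreated
                Command = $oneLine.Substring(0, [Math]::Min(200, $oneLine.Length))
            }
        }
    }
}

# 3. PSReadLine history: commands pasted into an interactive console land here.
function Get-ConsoleHistoryHits {
    $pattern = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    Get-ChildItem $pattern -ErrorAction SilentlyContinue |
        Select-String -Pattern $ClickFixRegex |
        ForEach-Object {
            [pscustomobject]@{ Source = "History:$($_.Path)"; Time = $null; Command = $_.Line }
        }
}

$hits = @(Get-RunMruHits) + @(Get-ScriptBlockHits -Hours 72) + @(Get-ConsoleHistoryHits)
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Run it per host or push it through your EDR's script execution feature. A hit in RunMRU or PSReadLine history is the strongest signal, because it proves a human typed or pasted the command rather than a scheduled process running it; expect some noise from administrators who legitimately use `iwr | iex`, and tune the regex to your environment.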

ColdRiver’s evolving toolchain

NoRobot: persistence and staging

NoRobot is a DLL payload launched via rundll32.exe and often presented as a “verification” step in ClickFix or fake CAPTCHA flows. GTIG notes persistence through Registry modifications and Scheduled Tasks. Early variants fetched Python 3.8 for Windows to prepare the environment for the Python‑based backdoor YesRobot.

From YesRobot to the leaner MaybeRobot

YesRobot’s reliance on a visible Python installation increased detection risk in enterprise environments. ColdRiver quickly replaced it with MaybeRobot, a PowerShell script identified by Zscaler as Simplefix and linked to a September 2025 campaign dubbed BaitSwitch. This redesign reduces artifacts, blends into legitimate PowerShell activity, and complicates static detection.

Infection architecture and counter‑analysis techniques

Since June 2025, a streamlined NoRobot has been observed staging MaybeRobot, which supports a deliberately limited command set—only three commands—to minimize noise while maintaining control. The script reports execution results to multiple command‑and‑control (C2) endpoints, providing operators with reliable feedback across the operation.

A notable feature is cryptographic key splitting across components: the key material needed to decrypt the final payload is distributed across separate stages, and decryption succeeds only when the fragments from each stage are combined. This frustrates reverse engineering and hampers reconstruction of the full kill chain, since a single missing stage leaves the payload unreadable. For defenders it means that a captured NoRobot DLL on its own may not yield the MaybeRobot script; every stage in the chain has to be collected before the payload can be analyzed.

Why the move from phishing to ClickFix matters

ColdRiver historically relied on credential phishing for initial access. ClickFix avoids the need for exploits altogether, sidesteps email security controls because the malicious content is a web page rather than an attachment, and trades on users' trust in "self-help" instructions. The observations from GTIG, ESET, and Zscaler are also consistent with a retargeting hypothesis: address books and prior correspondence obtained from earlier account compromises are used to push second-stage access directly onto endpoints, extending collection from cloud accounts to host-resident data.

Defensive guidance against ClickFix and PowerShell malware

Organizations should prioritize layered controls that restrict user‑initiated command execution and spotlight suspicious PowerShell and DLL activity. Key measures include:

  • Restrict interactive PowerShell and the Run dialog for users who do not need them, and alert on PowerShell spawned from explorer.exe or a browser that uses network-download cmdlets; train users to recognize ClickFix lures such as fake CAPTCHAs and "display fixes."
  • Enable PowerShell Script Block Logging and AMSI; enforce Constrained Language Mode through WDAC or AppLocker (an environment-variable lockdown is trivially bypassed); apply WDAC/AppLocker to limit script and binary execution.
  • Monitor anomalies in rundll32.exe usage, unfamiliar DLLs in user profiles, new Scheduled Tasks, and Registry autoruns.
  • Control interpreter installations (e.g., Python) and flag atypical usage in enterprise environments.
  • Hunt with EDR for multi‑C2 beacons and repeat delivery attempts following phishing incidents.
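The measures above form one host-level procedure, so here is a single added script (an example written for this page, not code from GTIG, Zscaler or ESET) that checks the PowerShell logging controls and hunts the NoRobot-style persistence GTIG describes: rundll32-launched DLLs in Run keys and scheduled tasks, and a per-user Python install left behind by YesRobot staging. It assumes a local administrator session; the "user-writable path" heuristic and the file locations it searches are assumptions for illustration, not published indicators.

```powershell
# Added example (not code from GTIG, Zscaler or ESET): checks the PowerShell
# logging controls recommended above and hunts the NoRobot-style persistence
# GTIG describes (rundll32-launched DLLs in Run keys and scheduled tasks, a
# per-user Python). Assumes local admin. Path heuristics are assumptions, not IOCs.

# Locations a standard user can write to; a legitimate autorun rarely lives here.
$UserWritable = '\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\ProgramData\\|\\Temp\\'

function Test-SuspiciousCommand([string]$Command) {
    if ($Command -match $UserWritable) { return $true }
    # rundll32 itself is normal; rundll32 loading a DLL from outside \Windows\ is not.
    if ($Command -match 'rundll32' -and $Command -notmatch '\\Windows\\') { return $true }
    return $false
}

# Control check: Script Block Logging policy and whether this session runs in CLM.
function Get-PowerShellControlState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode  # 'ConstrainedLanguage' when WDAC/AppLocker enforce it
    }
}

# Remediation for the logging gap: the same registry values the GPO setting writes.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-SuspiciousAutoruns {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider metadata properties
            $cmd = [string]$p.Value
            if (Test-SuspiciousCommand $cmd) {
                [pscustomobject]@{ Kind = 'Autorun'; Name = "$k\$($p.Name)"; Detail = $cmd }
            }
        }
    }
}

function Get-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if (Test-SuspiciousCommand $cmd) {
                [pscustomobject]@{ Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
            }
        }
    }
}

# YesRobot staging fetched Python 3.8 for Windows; a python.exe in a profile or
# ProgramData is worth reviewing against your software inventory.
function Get-UserProfileInterpreters {
    Get-ChildItem 'C:\Users\*\AppData\Local', 'C:\Users\*\Downloads', 'C:\ProgramData' `
        -Recurse -Depth 4 -Filter 'python*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Interpreter'; Name = $_.FullName; Detail = "written $($_.LastWriteTime)" }
        }
}

Get-PowerShellControlState | Format-List
@(Get-SuspiciousAutoruns) + @(Get-SuspiciousTasks) + @(Get-UserProfileInterpreters) |
    Format-Table -AutoSize -Wrap
```

Call `Enable-ScriptBlockLogging` explicitly only where group policy does not already manage the setting, otherwise the next policy refresh will overwrite it. A `LanguageMode` of `FullLanguage` on a workstation that is supposed to be locked down is itself a finding: Constrained Language Mode only holds when a WDAC or AppLocker policy enforces it.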

ColdRiver’s rapid adaptation—shift to ClickFix, rotation of implants, and key‑splitting encryption—highlights the resilience of modern espionage campaigns. Strengthening PowerShell governance, discouraging copy‑paste execution from web pages, and focused user education can meaningfully reduce initial access success and compress the window for NoRobot/MaybeRobot deployment. Proactive logging, attack surface reduction, and routine threat‑hunting against these TTPs remain essential to raising the cost of intrusion.
